Generation of a digital signature

ABSTRACT

A method and system. A computer iteratively processes a unique condition digest of at least two condition digests in each iteration of a loop for a sufficient number of iterations to process all condition digests of the at least two condition digests. The processing in each iteration includes concatenating a reference digest with the unique condition digest of the iteration to generate a concatenand and hashing the concatenand to generate a hashed concatenand that serves as the reference digest for the next iteration if the next iteration is performed. Each unique condition digest is a different condition digest in each iteration of the loop. The regenerated reference digest of the last iteration of the loop is a last digest.

This application is a continuation application claiming priority to Ser.No. 14/491,206, filed Sep. 19, 2014, which is a continuation applicationto Ser. No. 10/539,648, filed Dec. 17, 2007, U.S. Pat. No. 8,862,886,issued Oct. 14, 2014.

FIELD OF INVENTION

The present invention relates to methods, apparatus and computerprograms for generating and/or using electronic signatures and/or forreporting changes of status of messages, documents and other resources.

BACKGROUND

In ordinary non-electronic commerce, it is quite common for people toadd a handwritten condition above their signatures: conditions such as“subject tocontract”, “delivery required within seven days”,“paid underprotest”, or “without prejudice”. The legal force of some of theseannotations may be questionable, but to the person who writes thecomment that does not matter—what matters is that people want to addthese conditions. In other cases, conditions may be crucial to abusiness negotiation.

In electronic commerce, there is typically no opportunity to specifyconditions in this way, and so a decision has to be made as to whetherto electronically sign without conditions or not to sign. A vendor maylose on-line sales because of a minor legal question which the potentialpurchaser did not feel able to resolve on-line; or a customer who doessign may be deterred from future purchases. Unhappy customers do notcome back.

These examples are typical of business-to-consumer applications, butbusiness-to-business applications have the same need, There have beenpress reports of a busy goods-inwards manager who was asked to sign whatappeared to be a delivery note fora vending machine and who did notrealize he was in fact signing a personal agreement to lease the vendingmachine for several years. When his company decided to changevending-machine supplier, the supplier approached the manager personallyfor him to fulfill the contract he signed. Regardless of whether anindividual court would uphold the contract or find it invalid andunenforceable, it would have been better for the manager if he had beenable to add a condition (preferably drafted by his company's legaladvisers) saying that he was signing only to confirm delivery. This isnot made possible by typical electronic commerce solutions.

Digital signatures can be used for the same purposes as handwrittensignatures-to confirm the signer's acceptance of an agreement and toauthenticate a document or message. Generally, a digital signature mustbe able to confirm the identity of the signer. The simple form of adigital signature for a message is to apply acryptographic “hash” or“digest” function (using an algorithm such as the Message Digestalgorithm MD5 or the Secure Hashing Algorithm SHA/1) to the message toproduce a short digest representing the longer message. The digest orhash value is a fixed size string produced by applying the hash functionto an input which may be of almost any length. The digest is thenencrypted with the signer's private signature key to yield a signatureblock for the message (for example using the Digital SignatureAlgorithm, DSA). The message, the signature block, the algorithms usedfor hashing and encryption, and a way of obtaining the signer's publickey are all sent to the recipient who can confirm the validity of thesignature block by hashing the message, decrypting the signature block,and comparing the resulting short digests. The public key may be, forexample, obtained from a digital certificate issued by a trusted thirdparty.

A dual private/public key cryptographic system is disclosed in, forexample, U.S. Pat. No. 5,157, 726. U.S. Pat. No. 5,157,726 disclosessuch a system for authenticating a digital signature. A document issigned using the secret key and then the public key is used for checkingauthenticity. Processes for creating digital signatures are exemplifiedin U.S. Pat. Nos. 4,881,264, 4,309,569, 4,625,076 and U.S. Pat. No.4,656,474 and in international standards ISO 9796 and CCITT X509).

Byounngcheon Lee and KwangjoKim, Fair Exchange of Digital SignaturesUsing Conditional Signature', Symposium on Cryptography and InformationSecurity (SCIS) 2002,29 January-1 February 2002, Shirahama, Japan,refers to conditional signatures'. This allows signer-chosen conditionsto be used as private negotiation statements in two-partycommunications, and focuses in particular on the achievement of a fairexchange' of unconditional signatures in response to verification ofconditional signatures. The conditional signatures' of Lee et al aresignatures on a message and condition together, and specifically asignature using a conventional signature scheme to sign a combination ofthe message and a function of the condition.

There remains a need in the art for solutions which address one or moreof the problems which are unresolved by the above references, such assolutions which offer users some of the apparent increased flexibilityof non-electronic solutions.

SUMMARY OF INVENTION

Aspects of the present invention provide methods, apparatus and computerprograms for generating and using conditional electronic signatures. Amethod for generating a conditional electronic signature according to afirst aspect of the invention, performed in response to one or moreconditions being specified for an electronic signature of a data item,comprises the steps of: encrypting the data item, encrypting the one ormore conditions separately from the data item, combining the encrypteddata item and the encrypted one or more conditions, and encrypting thecombination to generate a digital signature block that inherentlyrepresents the data item and the one or more conditions and enablescryptographic verification of both the data item and the one or moreconditions.

The data item may be a message, a document, an image file, or any otherdata resource.

If a plurality of conditions are specified by different sources or atdifferent times, each condition is preferably separately encrypted (i.e. separate from each other as well as separate from the data item)before being combined and further encrypted.

The encryption of the data item and separate encryption of theconditions are preferably one-way hashing steps producing concise,verifiable representations of the original data item and conditions.

The steps of combining the hashed data item and conditions and thenencrypting the combination preferably comprise the steps of:concatenating the hashed data item and hashed conditions, hashing theproduct of the concatenation to produce a final digest; and furtherencrypting the final digest to produce a conditional signature. The stepof encrypting the final digest preferably uses a private key of apublic/private key cryptographic solution.

In an alternative implementation, cryptographic processing other thanhashing-such as Cipher Block Chaining (CBC)—is used for encrypting eachof the data item and the conditions, and for the step of encrypting theconcatenand which results from the concatenation of these two encrypteditems. The cryptographic process selected for performing the encryptionof the concatenand is one-such as a CBC process-which operatesdifferently on each half of the concatenand according to what is in theother half, so that the encryption block obtained by encrypting theconcatenand could not be obtained by separately encrypting each half ofthe concatenand and then concatenating. This provides assurance that averification of a digital signature applied to the concatenand will notgive a positive result if a message and a condition are put together bysomeone who is not authorized to do so.

In an alternative embodiment of the invention, for communicatingdocuments within a closed group of participants who are authorizedsignatories, the final digest may be signed using a symmetric key knownonly to members of the group. Each member of the group will be able toverify the signature to check that the data item and condition have beensigned by a member of the group.

A digital signature' or electronic signature' in the context of thepresent specification are the results of digital processing of an itemwhich enable authentication of the item. Once digitally signed, anychanges to the signed item will result in an identifiable loss ofauthenticity. Such signatures may be verifiable digital identifiers of asignatory (such as an author, acknowledger, or approver) including boththose with and those without a digitized image of the signer'shandwritten signature. The generation of such digital images is wellknown in the art. To simplify the following description, examplesolutions will be described which do not include such images.

A condition'in the context of the present specification may be anabsolute requirement, without which a contract signatory considers hisor her signature not binding. The condition may or may not require someaction such as an explicit acceptance by the recipient of the signeddata item. Alternatively, a condition' may be a comment or preferencewhich states the intention or understanding of the signatory but whichis not an absolute requirement. The word condition' is used herein torefer to both absolute requirements and comments. The present inventionenables conditions to be linked unambiguously to signed data items andto the identity of the signatory.

Preferred embodiments of the invention enable more than one condition tobe specified and separately signed. In particular, different conditionsmay be specified by different parties to an electronic communication ortransaction or at different stages of a negotiation. Preferredembodiments of the invention support multiple messages or other dataitems from different sources being cryptographically signed, combinedand further encrypted, and distributed in an encrypted form. Support isalso provided for multiple messages which are each intended to beintelligible to different recipients, and which are encrypted using thepublic keys of the specific recipients who are entitled to read thedifferent messages. All recipients can use the digest hierarchy toensure that no part of the set of messages has been changed.

Separate encryption of data items and conditions, separate encryption ofeach of a plurality of conditions, and applying a digital signature to acombination of the separate encrypted items, provides the advantage thateach component can be verified if the relevant signature blocks areavailable for verification. Furthermore, specific encrypted componentsmay be decrypted without exposing other components in a clear text form.This may be especially useful where not all communicating entities haveauthorized access to all components of an encrypted package (theoriginal data item and conditions) and different entities have authorityto see different components. There may be a number of differentsignatories involved in a single transaction, each signatory eithertransmitting a document (or a representation of it) or providing anapproval or other comments or conditions. Different components may beverified by different entities or at different times.

In alternative embodiments, the invention may be used to enableauthentication (validating the authenticity of a message and associatedconditions) without any restriction on read access to the message orconditions. Each addition of a condition to a data item is accompaniedby the step of generating a new hash value or a new digital signature,and then the hash value or signature is included within a transmissionpackage which also includes the data item and the condition.

A method of verifying an electronic signature according to an embodimentof the invention comprises the steps of: decrypting the signature usinga public decryption key and comparing the decrypted signature with thefinal digest resulting from the previously described hashing of theproduct of the concatenation. In this way, verification of both the dataitem and the conditions can be performed-potentially without everconverting original messages or conditions to a cleartext form. Thismaintains security-for example if not all participants in acommunication are authorized to see the originals but they areauthorized to verify authenticity using the public key,

Another important potential benefit of the present invention is reducednetwork traffic, compared with verification solutions that requirereturn to the originator of an actual digital contract before theverification processing can begin, since one embodiment of the presentinvention involves return of a signed hash value only. A particularapplication in which this benefit is emphasized is one in which it isthe sender of a signed data item who wishes to verify that an unalteredversion of the data item was successfully received. Returning a signeddigest to the sender can enable the sender to decrypt and verify thatthe decrypted digest is as expected.

In an embodiment in which a message can contain material destined fordifferent addressees, an addressee who has no need for materialaddressed to someone else can save network time and storage space byreceiving only digests of extraneous material.

In many commerce applications, a recipient of a signed message uses themessage to prepare one or more forms, such as an order form or a paymentinstruction. If the signer is not willing to sign the message exactly assent, his or her intentions will be much clearer to the recipient if hisor her conditions are made available to the recipient by adding aseparate condition rather than by editing the message to be signed. Thepresent invention provides a mechanism for adding such conditions.

According to another aspect of the invention, there is provided anelectronic signature processing apparatus for generating a conditionaldigital signature in accordance with a method described above.

A further aspect provides and apparatus for verifying the authenticityof a data item and one or more associated conditions in accordance witha method described above.

The present invention may be implemented in a computer program product,comprising program code recorded on a machine-readable recording medium,for controlling the operation of a data processing apparatus on whichthe program code executes.

Further aspects of the invention provide a method, apparatus andcomputer program for disseminating a change of status of a data itemsuch as a document, including disseminating status change information toeach recipient of the data item which received the data item prior tothe status change. Such a solution is advantageous for handlingcountermanding in the context of electronically signed documents, wherea first authorized approver signs a document or comment to indicateapproval and then a second authorized approver reverses that approval.

BRIEF DESCRIPTION OF DRAWINGS

Preferred embodiments of the present invention are described in moredetail hereafter, by way of example, with reference to the accompanyingdrawings in which:

FIG. 1 shows a sequence of steps of a method for generating aconditional signature according to a first embodiment of the invention;

FIG. 2 shows a sequence of steps of a method for verifying a conditionalsignature according to an embodiment of the invention;

FIG. 3 shows the steps of a method for adding several conditions to amessage according to an embodiment of the invention; and

FIG. 4 is a schematic representation of apparatus which is suitable foruse in a method according to the invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

FIG. 1 shows a process for the construction of a simple conditionalsignature. The inputs to the process are the original message 10 to besigned, the statement of the conditions 20 that the signatory isattaching to his signature, and the private key 30 of the signer'spublic/private key pair for signing. Controls (in DEM terms) to theprocess are the hashing function and the encryption function to be used.

The message and the condition are both hashed 40 to produce digests 50.These digests are concatenated 60, the digest of the message first andthe digest of the condition second. The concatenand 70, or doubledigest, is then itself hashed 80, producing the final digest 90. This isthen encrypted 100 with the private key 30, producing the conditionalsignature block 110.

The message, the condition, and the conditional signature block are thensent to the recipient together with the algorithms used for hashing andencryption and the signer's public key (or information regarding how toobtain it). In this first implementation, the recipient is able todecrypt the conditional signature block to retrieve the final digest,and also to replicate the hashing and concatenation steps on theoriginal message and condition to re-create the final digest. These twoversions can then be compared. If the two versions of the final digestare equal, the message and condition are authentic. If not equal, themessage and condition cannot be relied on. In this first implementation,there is no restriction on read access to the message or condition-thesole purpose of the hashing, concatenation and encryption steps are toenable verification of authenticity.

In a second implementation of the invention, only the final signatureblock and the initially hashed message and hashed condition (the twoinitial digests) are transmitted to the recipient. In this case,verification can be performed without exposing either the message or theconditions during the verification processing. This enables verificationto be performed by an entity which is not authorized to receive theoriginal message and/or condition in cleartext form.

FIG. 2 shows a sequence of steps for verifying a conditional signaturegenerated according to the first implementation of the inventiondescribed above. The recipient can confirm that the received conditionalsignature is valid-that is, that the conditional signature block wasproduced by means of the above process using the above inputs-bycreating the final digest as above and comparing it 120 with the result130 of decrypting 140 the conditional signature block 150 using thepublic key 160 of the public/private key pair.

The process of separately hashing messages and conditions provides amechanism that allows the recipient to separately verify that each ofthe original message and conditions are unmodified, since alterations tothe original message or condition will change the values of therespective digests. When any such modification has taken place, thesigned final digest will not be equal to the calculated final digest.Such hashing of the initial inputs also saves on communication overheadsin cases where only the digests need to be transmitted for verificationpurposes—as compared with solutions requiring transmission of originaldocuments and conditions to a verifier entity. There is also a potentialsecurity benefit here—if one or more messages or conditions is not to berevealed to an addressee, the solution's avoidance of the need totransmit the original message or condition maintains the requiredsecurity.

Hashing a concatenation of the digests resulting from separately hashingthe message and conditions is desirable since it allows a determinationof whether the message and conditions have been altered, but alsoassures the recipient that they were combined by the signer. With someencryption algorithms, typically those which do not use Cipher BlockChaining (CBC), the encryption of a concatenation is the same as theconcatenation of the encryptions:

E (k, concat (x, y))=concat (E (k, x), E (k, y))

Such cryptographic methods enable use of a message and a conditiontogether when they do not belong together. The hashed double digestsolution within the present embodiment of the invention, andcryptographic signing of the resulting final digest, does not have thisproblem.

Signing the final digest (for example using the signer's privateencryption key) ensures that the final digest is unalterable withoutdestroying its authenticity. In the present embodiment, nobody exceptthe signer has access to the private key and so only the signer canperform the particular encryption.

The process described above not only confirms that it was the signerhimself or herself who created the signature; it also confirms thatneither the message nor the condition have been changed since theconditional signature block was created.

The process described above can be extended by repeating theconcatenation and hashing of the resultant double digest, as representedin FIG. 3, so that users (possibly a plurality of users with differentroles in a communication or negotiation) can add multiple separateconditions if required. Thus the processing of the additional condition200 shown in FIG. 3 is representative of the processing of any othersuch additional conditions of said multiple separate conditions. Furtherextensions include applying procedures for timestamping of theconditional electronic signatures.

In FIG. 3 a message 10, representing a data item, is hashed 40 togenerate a digest 50 of the message 10. The conditions 20 and 200 areeach hashed 40 separately from each other and separately from themessage 10 to generate the digests 50 and 210 respectively correspondingto the conditions 20 and 200. Each additional condition 200 of themultiple separate conditions is similarly hashed 50 to generate thecorresponding digest 210. Thus, the digests 50 and 200 collectivelyrepresent multiple digests.

FIG. 3 depicts processing the multiple digests in an loop (i.e., in aniterative process), wherein each iteration of the loop concatenates areference digest with a unique digest of the multiple digests, whereinthe reference digest is an output digest of the immediately precedingiteration. Initially, the reference digest is the digest 50 resultingfrom hashing 40 the message 10. In the first iteration, the referencedigest 50 is concatenated with the unique digest of the first iteration(i.e., the unique digest resulting from the hash of the condition 20) togenerate a concatenand (i.e., the double digest 70), The concatenand 70is hashed 80 to generate a hashed double digest 90 which becomes thereference digest for the second iteration. In the second iteration, thereference digest 90 is concatenated with the unique digest of the seconditeration (i.e., the digest 210) to generate a concatenand (i.e., thedouble digest 230). The concatenand 230 is hashed 240 to generate thereference digest for a third iteration (if there is a third iteration)or the final digest 250 (if there is no third iteration, as in FIG. 3).The reference digest outputed from the last iteration of the loop iscalled the “last digest” (e.g., the final digest 250 in FIG. 3).

In FIG. 3, the last digest final digest 250) is encrypted 100 togenerate a digital signature block or signature 260. The encrypting 100comprising signing the last digest with a digital signature comprised bya signer who performs the signing using a private key 30. The digitalsignature block or signature 260 represents the message 10, thecondition 20, and condition(s) 200 and enables cryptographicverification of the message 10, the condition 20, and condition(s) 200.

When there is a sequence of conditions, either created at one time or atdifferent times, it is satisfactory for some applications for the finaldouble digest to be signed. However, if this alone is signed then arecipient is unable to check interim signatures and has to take the wordof the final signer that the whole structure is authorized. In the casewhere all the conditions are being asserted by the same person (forexample when a house purchase is subject to contract, subject tomortgage and subject to survey) the presence of only one signature forthe set of conditions is often acceptable. Another situation is wherethere are several signers but the identity of one or more of the interimsigners is to be kept secret. In this case, signing only the finaldigest can be advantageous.

However, in cases in which there are several signers and recipients needto be able to confirm all the interim signatures, all the signatureblocks must be available. Two implementations for satisfying thisrequirement are as follows:

-   1. The construction of each new double digest is performed by    concatenating the preceding double digest to the hash of the new    condition and hashing the result. All necessary signature blocks are    then sent to the recipients alongside this construction. In addition    to the final signature block, the signature blocks for interim    double digests are necessary in those cases for which all signing    actions are required to be verified.-   2. In an alternative implementation, each new double digest is    constructed by concatenating the previous signature block to the    hash of the new condition and hashing the result. This    implementation does not allow for the omission of interim    signatures.

An example hardware environment is shown schematically in FIG. 4, inwhich a first user computer 300 is connected to a network 340—such asthe Internet or an intranet or other network-and is running computerprograms which enable sending and receiving of documents to and fromother network-connected computers 310, 320, 330. The first computer 300operates in accordance with computer programs 350, 360 stored on acomputer readable medium to perform hashing, concatenation andencryption/decryption steps either for generating (350) conditionalelectronic signatures, verifying (360) such signatures to checkauthenticity of received documents, or both.

As described in further detail herein, preferred embodiments of thepresent invention include a data processing system comprising one ormore computers which operate in accordance with computer programsinstalled thereon to generate, verify or use conditional electronicsignatures.

Some portions of the following description are explicitly or implicitlypresented in terms of algorithms and symbolic representations ofoperations on data within a computer memory. These algorithmicdescriptions and representations are typical of the notation found mosteffective by those skilled in the data processing arts to convey thesubstance of their work to others skilled in the art. An algorithm isconceived to be a self-consistent sequence of steps leading to a desiredresult. The steps are those requiring physical manipulations of physicalquantities. Usually, though not necessarily, these quantities take theform of electrical or magnetic signals capable of being stored,transferred, combined, compared, and otherwise manipulated. It hasproven convenient at times, principally for reasons of common usage, torefer to these signals as bits, values, digests, elements, components,symbols, characters, terms, numbers, or the like.

However, the above and similar terms are to be associated with theappropriate physical quantities and are merely convenient labels appliedto these quantities. Throughout the present specification, discussionsutilising terms such as “computing”, “calculating”, “determining”,“comparing”, “generating”, “selecting”, “outputting”, or the like, referto the action and processes of a computer system, or similar electronicdevice, that manipulates and transforms data represented as physical(electronic) quantities within the registers and memories of thecomputer system into other data similarly represented as physicalquantities within the computer system memories or registers or othersuch information storage, transmission or display devices.

The present specification also discloses apparatus for performing theoperations of the methods. Such apparatus may be specially constructedfor the required purposes, or may comprise one or more general purposecomputers or other devices selectively activated or reconfigured by acomputer program stored in the computer. The algorithms presented hereinare not inherently related to any particular computer or otherapparatus. Various general purpose machines may be used with programs inaccordance with the teachings herein. Alternatively, the construction ofmore specialised apparatus to perform the required method steps may beappropriate.

In addition, the present specification also discloses a computerreadable medium and a computer program recorded thereon for performingthe operations of the methods. The computer readable medium is takenherein to include any transmission medium for communicating the computerprogram between a source and a destination. The transmission medium mayinclude storage devices such as magnetic or optical disks, memory chips,or other storage devices suitable for interfacing with a general purposecomputer. The transmission medium may also include a hard-wired mediumor a wireless medium (such as exemplified in the GSM mobile telephonesystem). The computer programs implementing the invention are notintended to be limited to any particular programming language orimplementation thereof. It will be appreciated that a variety ofprogramming languages and coding thereof may be used to implement theteachings of the disclosure contained herein.

Where reference is made in any one or more of the accompanying drawingsto steps and/or features, which have the same reference numerals, thosesteps and/or features have for the purposes of this description the samefunction (s) or operation (s), unless the contrary intention appears.

A specific embodiment of the invention will now be described, using amathematical notation. The cryptographic procedure described below(symmetric-key encryption) is an example of a suitable cryptographicprocedure which avoids the processing delays of some alternativecryptographic solutions, but other known cryptographic operations may beused such as slower public key encryption.

Let concat (x, y) be defined to be the bit-string that results from theconcatenation of bit-string x and bit-string y.

Let h (x) be defined to be the short bit-string that results fromapplying the hash (alias digest) algorithm h to the bit-string x.

It has been shown that, for the hash algorithms SHA/1 and MD5, h (concat(h (x), h(y))) preserves cryptographic strength. That is, even if I knowall three of the bit-string x, the bit-string y, and the algorithm h, itis very difficult to find bit-strings a and b—one at least of which isdifferent from x and y—such that: h (concat (h (a), h (b))))=h (concat(h(x), h (y))).

Very difficult in this context means at least as difficult as finding pnot equal to q such that h (p)=h (q). Therefore, “double digesting”doesnot introduce any weakness into the system.

Let E (k, x) be defined to be the bit-string that results fromencrypting the bit-string x using the key (also a bit-string) k, when kis not zero.

Let E(0, x) be defined to be equal to x.

Let m1, m2, . . . mk (where k is a positive integer) be the messagesthat are to be signed and c0, c1, c2, . . . cn (where n is a positiveinteger) be the conditions or comments that are to be attached.

Let p1, p2, . . . pk be the public keys of the entities which are to beable to read each of the messages.

Different messages aimed at different recipients but signed together areuseful. It may be important to a merchant to know that a customer hassent a message to their bank authorizing payment. However, whenever themerchant does not need to know the details of the customer's account,the customer should be able to keep that information confidential. Itmay be important to the bank to have a digest which identifies thetransaction for which payment is requested, but the bank does not needto know what the customer is buying and the customer may wish to retainconfidentiality.

Let q1, q2, . . . qn be the public keys of the entities which are to beable to read each of the conditions.

Any p or q value may be zero if the corresponding message or conditionis not confidential.

Let r1, r2, . . . rk and t1, t2, . . . tn be random symmetric keys.

The“multiple message digest”, which represents the message set m1, m2, .. . mi as a whole, is to be called Mi.

M1=h (E (r1, m1)) and the crypto block E (p1, r1) is to accompany M1.

Ifi>1 then Mi=h (concat((M (i−1)), h (E (ri, mi)))) and the digests h (E(r1,m1)), h (E (r2, m2)), . . . h (E (ri, mi) and the crypto blocks E(p1,r1), E (p2, r2), . . . E (pi, ri) are to accompany Mi.

Mk is then a multiple message digest which represents the completemessage set m1, m2, . . . mk as a whole.

Let s1, s2, . . . sn be the secret keys of the signatories of conditionsc1, c2, . . . cn respectively.

The “conditional signature”, which represents Mk and the conditions c1,c2, . . . cj as a whole, is to be called Sj.

S1=E (s1, h (concat (Mk, h (E (t1, c1))))) and the digests h (E (r1,m1), h (E (r2, m2)), . . . h (E (rk, mk)), . . . h (E (t1, c1)) and thecrypto blocks E (p1, r1), E (p2, r2), . . . E (pk, rk) and E(q1, t1),are to accompany S1.

If j>1 then Sj=E (sj, h (concat((S (j−1)), h (E (tj, cj))))) and thedigests h (E (r1, m1), h (E (r2, m2)), . . . h (E (rk, mk)) and h (E(t1, c1), h (E (t2,c2)), . . . h (E(tj, cj) and the crypto blocks E(p1,r1), E (p2, r2), . . . E (pk, rk) and E(q1,t1), E (q2, t2), . . .E(qj, tj) are to accompany S1.

Sn is then the final conditional signature.

The embodiments of the invention described above in detail usepublic/private key encryption for signing the final digest. While thisis a convenient technique for many applications, other digital signaturetechniques which use a key known only to an approved signer are alsosuitable.

Within a closed group, it is acceptable for some applications for thefinal digest to be signed with a symmetric key known only to the group.Each member of the group will then be able to check the signature and besure that the message and the condition have been signed by a member ofthe group, although possibly not knowing for certain which member of thegroup signed. Such a symmetric key solution is generally not acceptablewhen sending messages outside a closed group, since in that case sendinga key which enables checking of the signature also enables creation ofan alternative signature using different messages or conditions. Signingthe message using a private key solves this problem-although in someapplications it is acceptable for a private key to be shared by a groupof people.

Symmetric key encryption is generally faster than public/private keyencryption. However, when signing an MD5 digest (16 bytes long) oraSHA/1 digest (20 bytes long) the size of the item being encrypted isnot sufficiently long for the faster processing of symmetric-keyencryption to be a significant improvement.

The conditional signature solution described above handles the situationwhere a document signed by one person has to be forwarded to anotherperson for approval or verification before action is taken. Anothersituation which is not solved by known solutions is where one persongives approval, but another person countermands that approval. Forsimplicity, the following description will assume that thecountermanding person has the authority to issue countermands.

Described below is a data processing system and a process, implementablein software, which can handle such countermanding.

One application of conditional signatures is to handle a document whichneeds two or more signatures before it is approved. The first signatorysigns the document adding any necessary comment and the second signatoryany necessary follow-up comment and signs the result. Taking an examplefrom Canon law, a priest wishing to publish a book sends the text to anofficial in his bishop's office who reads the text. All being well, theofficial endorses the book “nihil obstat” (or “nothing stands in itsway”). The bishop can then endorse the book “imprimateur” (or “let it beprinted”).

The solution is not limited to any specific document status. Forexample, a document may even be signed subject to conditions such thatthe approval indicated by the signature is subject to legal appealproceedings (for example, for the period of any applicable deadline forthe filing of an appeal).

Some enterprises, which allow their officers to make decisions andauthorize documents, also allow the functional superiors of thoseofficers to countermand the initial authorization. Althoughcountermanding will not always be a desirable practice, there is a needfor a solution which handles countermanding of approvals in thoseenterprises in which the practice is permitted. A system and method forsolving this problem are described below, which ensure that everyone whohas received a copy of the initial authorization will receive a copy ofthe countermand, This includes those to whom the original signatory sentthe signed document, but also those who have received a copy by a moreindirect route.

The Open Group standard X.509 version 2 describes a related solution forthe specific case of documents which are public-key certificates. When aCertificate Authority (CA) issues a public-key certificate assertingthat an entity known by a particular name has a particular public key,then the form of the public-key certificate contains an address fromwhich a Certificate Revocation List (CRL) can be obtained. The CRLcontains a list of those certificates which were issued by theauthority, but which have subsequently been revoked (such as because thekey owner has left the CA's organization, or because the correspondingprivate key has become compromised, or because the certificate wasissued in error, or because the certificate was obtained by fraud). Thenature of a CA, and the format of a public-key certificate, an address,and a CRL are all defined in the standard.

As well as being restricted to a fixed form of message, the CRL processdescribed in the standard make no effort to send the CRL to anyone, letalone to everyone who has received the original message.

The solution supporting countermanding comprises three parts:

-   1. “Active content” is automatically included in the condition when    someone in an organization that permits countermanding signs a    document. The active content may be implemented using MicroActiveX    controls or, as in the preferred implementation, as a Java™ “aglet”    comprising encapsulated code which can be run by a Java runtime    system on any platform to which the message is sent-the general    solution is independent of the specific active content tool used.    Every time the document is forwarded to someone else, this active    content is executed and it sends the address (for example, the    e-mail address) of each recipient to a register of recipients    maintained by the organization.-   2. An advanced e-mail system (for example, the Lotus Notes    communication software from Lotus Development Corporation)    recognizes the difference between a message which contains a simple    epilogue identifying the author (which could be forged, but which is    adequate for most informal e-mail) and a message which is to be    cryptographically signed using the author's private key. The latter    can be forged only if someone can find the password the author uses    to protect the private key. The countermanding solution extends the    e-mail system so that the e-mail system:-   i. recognizes the presence of active content in a signed message,    and executes the active content whenever the message is forwarded;-   ii, creates appropriate active content when a message is signed (a    new option of “sign as instruction” is provided within the e-mail    system to allow for an organization's wish to use the additional    feature only when necessary); and-   iii. recognizes the act of countermanding a message, which the    e-mail system sends to the registry.

3. The third part of the solution is the register which is linked intothe e-mail system so that it receives and retains the information itreceives fromeach “signed-as-instruction” message's aglet. When acountermand is received, the e-mail system sends that countermand to alladdresses registered as having received the original message.Additionally, the register keeps records of messages and countermands sothat, if one of the recipients later forwards the message to an extraperson, the register and e-mail system cooperate to send that extraperson the countermand as well.

Since the active content (aglet) is a part of the condition attached tothe message when it is signed, nobody can remove the aglet withoutaltering the digest of the condition and thus invalidating the signingand cancelling the authorization.

More generally, the solution described above in relation tocountermanding can be used for notification of any changes of status ofa document or other data item. A countermanded message is a specificcase of the more general situation where a documents status can bechanged by a subsequent decision. The new status can be added to thedocument in the way described above for the conditional signaturesolution; and the new status can be communicated to all recipients ofthe document using the status change notification solution.

Another example application of the status change reporting solution isfor reporting the reclassification of a document; from Restricted toSecret, say, or from Secret to Top Secret.

Method steps which achieve the status change reporting according to anembodiment of the invention include:

-   -   creation of active content for appropriate messages, using an        appropriate active content writing mechanism;    -   recognition and execution of the active content by either the        sender or the receiver of the message;    -   responsive to the submission of countermands or other changes of        status, accessing a register which maintains a complete        distribution list for such status changes and distributing a        notification of the changes in status.

The register itself may be a distributed function and implemented bycooperating registers, each of which maintains the distribution list ofrecipients in its own area and forwards details of other recipients tothe registers for their areas. However, an organisation may choose toimplement a single register in circumstances where a full audit recordof changes of status of the message or document is required.

1. A method, said method comprising: a computer iteratively processing aunique condition digest of a plurality of condition digests in eachiteration of a loop for a sufficient number of iterations to process allcondition digests of the plurality of condition digests, said processingin each iteration comprising concatenating a reference digest with theunique condition digest of the iteration to generate a concatenand andhashing the concatenand to generate a hashed concatenand that serves asthe reference digest for the next iteration if the next iteration isperformed, each unique condition digest being a different conditiondigest in each iteration of the loop, the regenerated reference digestof the last iteration of the loop being a last digest.
 2. The method ofclaim 1, said method further comprising: said computer encrypting thelast digest to generate a digital signature block that represents a dataitem and a plurality of conditions specified for a digital signature,said digital signature block comprising the digital signature.
 3. Themethod of claim 2, wherein the digital signature block enablescryptographic verification of both the data item and the plurality ofconditions.
 4. The method of claim 2, wherein said encrypting comprisessigning the last digest with the digital signature.
 5. The method ofclaim 4, wherein said signing is performed by a signer and representsacceptance of the data item by the signer subject to the plurality ofconditions.
 6. The method of claim 4, wherein said signing is performedby a signer and represents acceptance of the data item by the signer,and wherein said acceptance is not subject to the plurality ofconditions.
 7. The method of claim 2, wherein the reference digest isequal to a digest of the data item, and wherein the digest of the dataitem is formed from a hashing of the data item.
 8. The method of claim2, said method further comprising: said computer hashing each conditionof the plurality of conditions separately from each other and separatelyfrom the data item to generate the plurality of condition digestsrespectively corresponding to the plurality of conditions.
 9. The methodof claim 2, said method further comprising: said computer generating acommunication, wherein the communication comprises the digital signatureblock, the data item, and the plurality of conditions; and said computersending the communication across a network to a recipient.
 10. Themethod of claim 2, said method further comprising: said computergenerating a communication, wherein the communication comprises thedigital signature block and does not comprise the data item and does notcomprise the plurality of conditions; and said computer sending thecommunication across a network to a recipient.
 11. The method of claim2, wherein the method further comprises: said computer hashing a newcondition to generate a digest of the new condition; said computerconcatenating the digital signature block with the digest of the newcondition to generate a new digest; said computer hashing the new digestto generate a hashed new digest; and said computer encrypting the hashednew digest to generate a new digital signature block that represents thedata item, the plurality of conditions, and the new condition andenables cryptographic verification of the data item, the plurality ofconditions, and the new condition.
 12. A computer program product,comprising a machine-readable recording medium having program coderecorded thereon, said program code upon being executed by a computerperforms a method for generating a digital signature of a data item,said method comprising: said computer iteratively processing a uniquecondition digest of a plurality of condition digests in each iterationof a loop for a sufficient number of iterations to process all conditiondigests of the plurality of condition digests, said processing in eachiteration comprising concatenating a reference digest with the uniquecondition digest of the iteration to generate a concatenand and hashingthe concatenand to generate a hashed concatenand that serves as thereference digest for the next iteration if the next iteration isperformed, each unique condition digest being a different conditiondigest in each iteration of the loop, the regenerated reference digestof the last iteration of the loop being a last digest.
 13. The computerprogram product of claim 12, said method further comprising: saidcomputer encrypting the last digest to generate a digital signatureblock that represents a data item and a plurality of conditionsspecified for a digital signature, said digital signature blockcomprising the digital signature.
 14. The computer program product ofclaim 13, wherein the digital signature block enables cryptographicverification of both the data item and the plurality of conditions. 15.The computer program product of claim 13, wherein said encryptingcomprises signing the last digest with the digital signature.
 16. Thecomputer program product of claim 13, wherein the reference digest isequal to a digest of the data item, and wherein the digest of the dataitem is formed from a hashing of the data item.
 17. A data processingapparatus comprising a computer and a machine-readable recording mediumcoupled to the computer, said recording medium storing program code thatwhen executed by the computer performs a method for generating a digitalsignature of a data item, said method comprising: said computeriteratively processing a unique condition digest of a plurality ofcondition digests in each iteration of a loop for a sufficient number ofiterations to process all condition digests of the plurality ofcondition digests, said processing in each iteration comprisingconcatenating a reference digest with the unique condition digest of theiteration to generate a concatenand and hashing the concatenand togenerate a hashed concatenand that serves as the reference digest forthe next iteration if the next iteration is performed, each uniquecondition digest being a different condition digest in each iteration ofthe loop, the regenerated reference digest of the last iteration of theloop being a last digest.
 18. The data processing apparatus of claim 17,said method further comprising: said computer encrypting the last digestto generate a digital signature block that represents a data item and aplurality of conditions specified for a digital signature, said digitalsignature block comprising the digital signature.
 19. The dataprocessing apparatus of claim 18, wherein the digital signature blockenables cryptographic verification of both the data item and theplurality of conditions.
 20. The data processing apparatus of claim 18,wherein said encrypting comprises signing the last digest with thedigital signature.